A remote code execution flaw in Google App Engine would qualify for a $20,000 reward under the Google Vulnerability Reward Program, but it's not clear if Security Explorations followed all of the program's rules, which call for advance notice to Google before public disclosure and not disrupting or damaging the tested service.
"We are neither participating in, nor following any Bug Bounty programs," Gowdiak wrote. "Over the last 6 years of activity we have found dozens of security issues that impacted hundreds of millions of people (just to mention Oracle Java flaws) or devices (security issues in set-top-box chipsets). We have never received any reward for our work from any vendor. That said, we don't expect to receive anything this time either."
Sign up for CIO Asia eNewsletters.